Skip to content

Confusion and Diffusion

Table of contents

Open Table of contents

What it is

Claude Shannon, the “father of information theory” identified Confusion and Diffusion as the two properties necessary to construct a secure (symmetric) cipher.

Using both properties together ensures that tools such as statistical analysis won’t give an attacker any significant advantage when trying to break the cipher.

It’s important to stress that both, Confusion and Diffusion have to be used together to thwart Cryptanalysis. If only one is present, it can still be possible to break the cipher.

Concatenations of Confusion and Diffusion in a setup with multiple rounds are called Product Ciphers.

Product Cipher using concatenations of Confusion and Diffusion

Well-known Product Ciphers are the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES).


The goal of confusion is to obfuscate the linkage between the key and the ciphertext.

With confusion each bit of the generated ciphertext should depend on multiple bits of the key.

In modern day ciphers such as DES or AES this is done via Substitution Boxes.


The goal of diffusion is to hide statistical properties of the plaintext.

With diffusion, one tries to impact as many ciphertext bits as possible when only one bit of the plaintext is changed (and vice versa). This is oftentimes also referred to as the Avalanche Effect.

In DES diffusion is implemented as bit permutations via Permutation Boxes whereas in AES Mixcolumn operations are used.

The relationship to substitution and permutation

Confusion directly maps to the implementation of substitution (e.g. via Substitution Boxes (also known as an “S-Box”)) whereas diffusion can be mapped to the integration of permutation (e.g. via Permutation Boxes (also known as a “P-Box”)).

In modern day ciphers multiple of such substitution-permutation layers are chained together to form Substitution-Permutation Networks that provide strong confusion and diffusion properties.

To read more about substitution and permutation you can check out the dedicated blog post here.

Using one without the other

As stated in the introduction, it’s important to make use of both, Confusion and Diffusion when implementing strong ciphers.

To show, why that is let’s take a look at the infamous Caesar Cipher in which each letter of the plaintext is replaced with a letter nn positions shifted to the left (or right). Letters that would “fall off” at the start or end simply wrap-around.

To encrypt a word, one simply writes down the word and then shifts all the letters nn positions to the right (or left). To decrypt the word, one has to do the reverse (shift all the letters of the ciphertext nn positions to the left (or right)).

As an example, let’s say that we shift characters 7 positions to the right so that a is replaced with h, b with i, etc. (in this case n=7n = 7).

The word hello is then encrypted as olssv. Taking olssv and shifting the characters n=7n = 7 positions left results in the plaintext hello.

Looking at this it’s easy to see that nn is the key for encryption and decryption.

While this cipher has properties of confusion (we’re trying to hide the linkage between the ciphertext and the key) it’s trivial to break by doing a statistical analysis on the ciphertext to see how often certain characters appear. The letter most often used in the English language is “e”, for example. Following this procedure we can figure out which ciphertext letter would map to “e”, for example. Repeating this for other letters would allow us to trivially decrypt the ciphertext.

Of course, it’s even easier to break the Caesar’s Cipher with a brute-force attack by trying out each potential key but that wouldn’t highlight how a statistical analysis can be performed on the ciphertext even if some simple form of confusion is used.


The following resources have been invaluable for me to learn the concepts discussed in this article.

You should definitely give them a read if you want to dive deeper into the topic.